Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Rootkit and trojan horses [RESOLVED]

darko2021

Posted 13 February 2008 - 06:17 AM

darko2021

Member

Member

66 posts

Evey time I restart my computer it says that my cpu has changed, also I keep getting notifications that a rootkit or a trojan is trying to load onto my computer. in addition, most of the time my wifi connects to an unknown access point so I can't even get internet most of the time. Please Help!!

Event Record #/Type10042 / WarningEvent Submitted/Written: 02/12/2008 07:21:00 AMEvent ID/Source: 1524 / UserenvEvent Description:Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type99161 / ErrorEvent Submitted/Written: 02/13/2008 07:07:27 PMEvent ID/Source: 7016 / Service Control ManagerEvent Description:The SmartLinkService service has reported an invalid current state 0.

Event Record #/Type99160 / WarningEvent Submitted/Written: 02/13/2008 06:17:06 PMEvent ID/Source: 1003 / DhcpEvent Description:Your computer was not able to renew its address from the network (from theDHCP Server) for the Network Card with network address 001217A13D60. The followingerror occurred: %%121.Your computer will continue to try and obtain an address on its own fromthe network address (DHCP) server.

Rorschach112

Posted 13 February 2008 - 06:26 PM

You have two anti-virues, AVG and Avast, you need to remove one of these

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.

Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.

Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.

There were no red entries for anything. The only thing I did notice was under the message hooks tab. The process paths for these are as follows:
C:\WINDOWS\system32\ati2evxx.exe
C:\Programfiles\SpyCatcher\Protector.exe
These two were under the WH_KeyBoard

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from here

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :http://windowsupdate.microsoft.com/This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:SpywareBlaster protects against bad ActiveXIE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all Have a look at this tutorial for IE-Spyad here

In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".

Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop upblocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'Here

Thank you for your patience, and performing all of the procedures requested.

darko2021

Posted 18 February 2008 - 10:24 PM

darko2021

Member

Topic Starter

Member

66 posts

I still seem to be having the same issue. I keep getting a virus scan alert telling me that a rootkit is tring to embed itself. Also every time I restart my computer I get a message before windows loads saying that my computer has changed and gives me the option to go into my BIOS. Here is a new Hijackthis.

Advertisements

Rorschach112

Posted 19 February 2008 - 05:54 AM

Double click combofix.exe and follow the prompts.When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next replyNote: Do not mouseclick combofix's window while its running. That may cause it to stall

keep getting a virus scan alert telling me that a rootkit is tring to embed itself.

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :http://windowsupdate.microsoft.com/This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:SpywareBlaster protects against bad ActiveXIE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all Have a look at this tutorial for IE-Spyad here

In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".

Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop upblocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'Here

Thank you for your patience, and performing all of the procedures requested.